Role-Based Access Control
There is an abundance of records of advanced cyber-attacks in the world today. While there is no sure way to avoid a security breach, there are good security practices that materially reduce a company's exposure to the many attack techniques in use. A report released by the Cloud Security Alliance, "The Treacherous Twelve: Cloud Computing Top Threats in 2016", indicates that 22 percent of breached companies reported compromised employee credentials as the cause of the breach. This article discusses one such practice, which does not prevent credentials from being stolen but limits what an attacker can do with them: Role-Based Access Control.
Role-Based Access Control, or RBAC for short, is the practice of granting users access to a system or computer resource based on their roles, that is, their job responsibilities in the organization. Permissions are attached to roles rather than to individual users, and users are assigned one or more roles. To map job responsibilities to system access, the needs of the workforce have to be analyzed, and users with similar responsibilities and tasks are grouped together to form a role with a defined set of permissions on a system. When a new employee joins the organization, he or she is simply assigned the appropriate role or roles and, through those roles, gets access to the relevant resources. The type of access is also defined per role: read-only, read/write, administrative, or no access at all.
RBAC has its roots in the 1970s, and the first formal RBAC model was proposed in 1992 by researchers at the National Institute of Standards and Technology (NIST). This well-established approach has been around for decades, and it is time that every company, including small and medium businesses, adopts it. A small company's IT department may be tempted to assign access on an ad-hoc, per-user basis, but that becomes unsustainable as the number of users or the number of systems grows, and it soon makes the basic question of who can access what hard to answer.
With RBAC properly in place, assigning system rights becomes systematic and simple, and auditing user rights becomes much easier, because the question reduces to which roles a user holds and what each role grants. The most important point to keep in mind while defining access rules is the principle of least privilege: a default or new user account with no roles must have access to no resources, and each role should carry only the minimal privileges its job duties require. As an employee grows in the company and his or her responsibilities become more defined or increase in number, additional roles grant access to additional resources; when responsibilities are removed, the corresponding roles are removed too, so that access does not quietly accumulate over time.
There are many tools that can help with setting up RBAC. For example, SAM IT Solutions is a Microsoft Partner and uses Microsoft Active Directory, whose built-in security groups and roles can serve as a starting point and then be extended to match the organization's requirements. Here are five tips to keep in mind when setting up Role-Based Access Control:
Keep it Simple – When creating roles, start with the roles whose compromise would pose the biggest financial and security risk. Mitigate those risks first, then move on to the lesser ones.
Don't jump into Technology – Do not start from the list of systems and resources that need access controls. Start from the company's business model, define who owns each resource or set of data, and only then decide who else needs access to it and with what type of permission.
Don't make one-off changes – If a user comes up with an unusual need for access, do not break the rules of RBAC by editing that user's permissions directly. Assign them an additional role that covers the task, with a defined end date, and remove it when the task is complete so they are back to their original roles.
Risk Assessment – When assigning permissions to a role, a good check is to analyze the damage an attacker could do with a compromised account that holds that role. Then choose a reasonable balance between the cost of mitigation and the access the role genuinely needs.
Restrict the Number of Roles – It is easy to get carried away and define a high level of granularity, as far as a custom role for each user. Keep in mind that someone has to maintain every role and every rule. For ease of management, aim for a healthy level of granularity: enough roles to enforce least privilege, few enough that they can all be reviewed.
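The user-to-role-to-permission model described earlier, the default-deny and auditing behaviour that least privilege requires, and the time-boxed role for one-off requests from the tips above, as an added example written for this article; it is not code from SAM IT Solutions, from Microsoft Active Directory, or from the original page. The role names, user names, resources and reference time are constructed sample data, and the permission hierarchy (admin implies write implies read) is an assumption of the example.

```python
"""Minimal RBAC model: users hold roles, roles hold permissions on resources,
and any access not granted through an active role is denied."""
from datetime import datetime, timedelta, timezone
from enum import IntEnum


class Level(IntEnum):
    """Permission level on one resource; a higher level implies the lower ones (assumed ordering)."""
    NONE = 0
    READ = 1
    WRITE = 2
    ADMIN = 3


class RBAC:
    def __init__(self):
        self.role_perms = {}   # role name -> {resource: Level}
        self.user_roles = {}   # user name -> {role name: expiry datetime or None}

    def define_role(self, role, perms):
        """perms: {resource: Level}. Redefining a role replaces its permission set."""
        self.role_perms[role] = dict(perms)

    def assign(self, user, role, now, expires_in=None):
        """Grant a role; an optional expires_in makes it a time-boxed (one-off task) grant."""
        if role not in self.role_perms:
            raise KeyError(f"undefined role: {role}")   # no ad-hoc, per-user grants
        expiry = now + expires_in if expires_in is not None else None
        self.user_roles.setdefault(user, {})[role] = expiry

    def revoke(self, user, role):
        self.user_roles.get(user, {}).pop(role, None)

    def active_roles(self, user, now):
        """Expired temporary roles fall away automatically; nothing to remember to clean up."""
        return {r for r, exp in self.user_roles.get(user, {}).items()
                if exp is None or exp > now}

    def level(self, user, resource, now):
        """Least privilege: no roles, or no active role mentioning the resource, means NONE."""
        levels = [self.role_perms[r].get(resource, Level.NONE)
                  for r in self.active_roles(user, now)]
        return max(levels, default=Level.NONE)

    def check(self, user, resource, need, now):
        return self.level(user, resource, now) >= need

    def audit(self, now):
        """Effective rights per user: what an auditor wants, rather than raw role lists."""
        report = {}
        for user in self.user_roles:
            rights = {}
            for role in self.active_roles(user, now):
                for resource, lvl in self.role_perms[role].items():
                    if lvl > rights.get(resource, Level.NONE):
                        rights[resource] = lvl
            report[user] = {res: lvl.name for res, lvl in rights.items()}
        return report


def build_demo(now):
    """Constructed sample data: three roles, three users, one temporary grant."""
    rbac = RBAC()
    rbac.define_role("finance-analyst", {"ledger": Level.READ, "reports": Level.WRITE})
    rbac.define_role("finance-admin", {"ledger": Level.ADMIN, "reports": Level.ADMIN})
    rbac.define_role("hr-staff", {"hr-records": Level.WRITE})
    rbac.assign("alice", "finance-analyst", now)
    rbac.assign("bob", "hr-staff", now)
    rbac.user_roles["carol"] = {}        # joined today, no role yet: gets nothing
    # alice covers for the finance admin for two days; her standing role is untouched
    rbac.assign("alice", "finance-admin", now, expires_in=timedelta(days=2))
    return rbac


def run_demo():
    """Evaluate the sample at a fixed reference time so results are reproducible."""
    now = datetime(2024, 1, 1, tzinfo=timezone.utc)
    later = now + timedelta(days=3)       # after the temporary grant has expired
    rbac = build_demo(now)
    return {
        "alice_admin_now": rbac.check("alice", "ledger", Level.ADMIN, now),      # True
        "alice_admin_later": rbac.check("alice", "ledger", Level.ADMIN, later),  # False
        "alice_read_later": rbac.check("alice", "ledger", Level.READ, later),    # True
        "bob_ledger": rbac.check("bob", "ledger", Level.READ, now),              # False
        "carol_anything": rbac.check("carol", "reports", Level.READ, now),       # False
        "audit_later": rbac.audit(later),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The two design choices worth copying into a real deployment are that `assign` refuses roles that were never defined, which is what stops the one-off per-user permission edits the tips warn against, and that `audit` reports effective rights per user after expiry is applied, so a review shows what a compromised account could actually reach today rather than what was granted at some point in the past.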